Crowdstrike published an incident with a corresponding "Crowdscore" in our console, but we were unable to find anything related to it in Red Canary. Am I missing something?
In regard to incidents [1], as defined by Crowdstrike:
Incidents are made of detections, associated processes, and the connections between them, which can include parent-child relationships, thread injections, and lateral movement.
Red Canary does not collect the "incident" itself, but it does collect telemetry that may be related to an incident published in the Crowdstrike console. As of now, Red Canary does not collect the Crowdscore or its related metadata either, because that information is outside the scope of the API key Red Canary uses for event forwarding.
To get a better idea of the types of data that Red Canary does collect, please refer to the following Crowdstrike articles (you will need to be authenticated to your Crowdstrike instance in order to access the documentation):
Falcon Data Replicator (Falcon 1)
Falcon Data Replicator (Falcon 2)
[1] Note: the linked URL redirects to Falcon US-1. If a customer is on Falcon US-2, please use this link.